Promiscuous node detection using ARP packets
Daiji Sanai <hyler@securityfriday.com>
SecurityFriday.com

README.TXT
Promiscuous Mode
My speech (English)
Agenda
- Hardware filter
- Address Resolution Protocol
- Software filter
- Promiscuous detection
- Exception
Hardware filter
- Unicast (to host)
- Broadcast
- Multicast
- All multicast
- Promiscuous
Unicast (to host)
The packet addressed to the HW address of the device is passed.

  NIC 00:11:22:33:44:55
    To 00:11:22:33:44:01 → Reject
    To 00:11:22:33:44:55 → Pass
Broadcast
The packet addressed to the broadcast address (FF:FF:FF:FF:FF:FF) is passed.

  NIC 00:11:22:33:44:55
    To FF:FF:FF:FF:FF:FF → Pass
Multicast
A packet addressed to an address registered in the multicast list is passed.

  NIC 00:11:22:33:44:55
  Multicast list: 01:00:5e:00:00:01, 01:00:5e:00:00:03
    To 01:00:5e:00:00:02 → Reject (not in the list)
    To 01:00:5e:00:00:01 → Pass
All multicast
The multicast packets of all groups pass.
What is a multicast packet? It is a packet whose destination address has the group bit set.
All multicast (2)
The packet whose destination address has the group bit set is passed.

  HW address: 01:02:03:04:05:06
  0000 0001 | 0000 0010 | 0000 0011 | ........
          ^ group bit (low-order bit of the first octet)
All multicast (3)
The packet whose destination address has the group bit set is passed.

  NIC 00:11:22:33:44:55
    To 02:00:00:00:00:01 → Reject (group bit clear)
    To 01:00:00:00:00:01 → Pass (group bit set)
Promiscuous
All packets are passed.

  NIC 00:11:22:33:44:55
    To xx:xx:xx:xx:xx:xx → Pass
Default HW filter
- Unicast:   the HW address (ex. 00:11:22:33:44:55)
- Broadcast: FF:FF:FF:FF:FF:FF
- Multicast: multicast address 1 (01:00:5E:00:00:01)
ARP
Address Resolution Protocol: the protocol used to find the HW address that corresponds to an IP address.
ARP (2)
- The requested IP address is set in the ARP packet.
- The packet is sent to the broadcast address.
- The requested node replies with its HW address.
Packet format of ARP
ARP packet (request)

  Size     Field                                         Example (request)
  6 bytes  Ethernet address of destination               FF FF FF FF FF FF
  6 bytes  Ethernet address of sender                    00 11 22 33 44 55
  2 bytes  Protocol type (ARP=0806)                      08 06
  2 bytes  Hardware address space (Ethernet=01)          00 01
  2 bytes  Protocol address space (IPv4=0800)            08 00
  1 byte   Byte length of hardware address               06
  1 byte   Byte length of protocol address               04
  2 bytes  Opcode (ARP request=01, ARP reply=02)         00 01
  6 bytes  Hardware address of sender of this packet     00 11 22 33 44 55
  4 bytes  Protocol address of sender of this packet     My IP
  6 bytes  Hardware address of target of this packet     00 00 00 00 00 00
  4 bytes  Protocol address of target                    Target IP
Test 1
The broadcast address is not set as the HW destination address of the ARP packet.

  ARP request (192.168.1.10) to 00:00:00:00:00:01 → NIC (normal),  IP 192.168.1.10: no reply
  ARP request (192.168.1.10) to 00:00:00:00:00:01 → NIC (promisc), IP 192.168.1.10: no reply
Consideration of test 1
Why is there no reply?
Something is set in the software filter. What kind of filter?
- Multicast?
- Broadcast?
linux/arp.c (1)

    if (in_dev == NULL ||
        arp->ar_hln != dev->addr_len ||                   // check hw addr length
        dev->flags & IFF_NOARP ||                         // no arp
        skb->pkt_type == PACKET_OTHERHOST ||              // otherhost packet
        skb->pkt_type == PACKET_LOOPBACK ||               // loopback packet
        arp->ar_pln != 4)                                 // ipv4
            goto out;

    switch (dev_type) {
    default:
        if (arp->ar_pro != __constant_htons(ETH_P_IP))    // ip protocol 0800
            goto out;
        if (htons(dev_type) != arp->ar_hrd)               // check hw device
            goto out;
        break;
linux/arp.c (2)

    if (arp->ar_op != __constant_htons(ARPOP_REPLY) &&    // arp: request or reply only
        arp->ar_op != __constant_htons(ARPOP_REQUEST))
            goto out;

    /*
     *  Check for bad requests for 127.x.x.x and requests for multicast
     *  addresses. If this is one such, delete it.
     */
    if (LOOPBACK(tip) || MULTICAST(tip))                  // check target IP address: loopback or multicast
            goto out;
linux/arp.c (3)
Filter of the ARP module:
- The ARP message is correct.
- The packet is not OTHERHOST.
- The packet is not LOOPBACK.
- The requested IP address is not loopback.
- The requested IP address is not multicast.
ARP responds if the HW address of the packet is classified as TO_US, BROADCAST, or MULTICAST.
Classification of packet
In the software:
- What is a TO_US packet?
- What is a MULTICAST packet?
- What is a BROADCAST packet?
linux/eth.c (1)

    if (*eth->h_dest & 1)
    {
        if (memcmp(eth->h_dest, dev->broadcast, ETH_ALEN) == 0)
            skb->pkt_type = PACKET_BROADCAST;
        else
            skb->pkt_type = PACKET_MULTICAST;
    }

    /*
     *  This ALLMULTI check should be redundant by 1.4
     *  so don't forget to remove it.
     *
     *  Seems, you forgot to remove it. All silly devices
     *  seems to set IFF_PROMISC.
     */
    else if (1 /*dev->flags&IFF_PROMISC*/)
    {
        if (memcmp(eth->h_dest, dev->dev_addr, ETH_ALEN))
            skb->pkt_type = PACKET_OTHERHOST;
    }
linux/eth.c (2)

  group bit = 1 ?
    yes → h_addr = broadcast ?   yes → broadcast
                                 no  → multicast
    no  → h_addr = dev_addr ?    yes → to us
                                 no  → otherhost

ARP Response for Linux
(→ = the packet passes that stage, P = ARP replies, - = no reply)

                               gr bit | normal mode                 | promiscuous mode
                                      | hw filter  sw filter  res.  | hw filter  sw filter  res.
  to_us                        off    |    →          →        P    |    →          →        P
  other host                   off    |  reject       -        -    |    →        reject     -
  broadcast                    on     |    →          →        P    |    →          →        P
  multicast (in the list)      on     |    →          →        P    |    →          →        P
  multicast (not in the list)  on     |  reject       -        -    |    →          →        P
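As an added example (not code from the slides or from the PromiScan tool), the Python below models the whole path the slides describe for a Linux target: it builds the ARP request with the field layout of the packet-format slide, applies the default hardware filter, classifies the frame the way linux/eth.c does and then applies the linux/arp.c checks, so the Linux column of the Result 2 table can be reproduced for any probe address. The sender MAC and IP and the target IP are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP, ARPHRD_ETHER, ETH_P_IP = 0x0806, 0x0001, 0x0800
ARPOP_REQUEST, ARPOP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")  # dev->broadcast on Ethernet

def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_arp_request(dst_mac, src_mac, src_ip, target_ip):
    """42-byte Ethernet + ARP request with the field layout of the packet-format slide."""
    hdr = struct.pack("!HHHBBH", ETH_P_ARP, ARPHRD_ETHER, ETH_P_IP, 6, 4, ARPOP_REQUEST)
    return (mac(dst_mac) + mac(src_mac) + hdr + mac(src_mac) + IPv4Address(src_ip).packed
            + bytes(6) + IPv4Address(target_ip).packed)   # target HW address is all zero

def hw_filter(dst, nic, mcast_list, promisc):
    """Default NIC filter: our unicast, broadcast and listed multicast; promiscuous passes all."""
    return promisc or dst == nic or dst == BROADCAST or dst in mcast_list

def eth_pkt_type(dst, nic):
    """linux/eth.c: group bit first, then exact match against dev->broadcast / dev->dev_addr."""
    if dst[0] & 1:
        return "BROADCAST" if dst == BROADCAST else "MULTICAST"
    return "TO_US" if dst == nic else "OTHERHOST"

def arp_replies(frame, nic, mcast_list, promisc):
    """True if a Linux host with address `nic` answers this frame (the arp.c checks in order)."""
    dst = frame[0:6]
    if not hw_filter(dst, nic, mcast_list, promisc):
        return False                                   # dropped by the NIC, kernel never sees it
    eth_type, hrd, pro, hln, pln, op = struct.unpack("!HHHBBH", frame[12:22])
    if eth_type != ETH_P_ARP or hln != 6 or pln != 4:  # ar_hln != dev->addr_len, ar_pln != 4
        return False
    if pro != ETH_P_IP or hrd != ARPHRD_ETHER or op not in (ARPOP_REQUEST, ARPOP_REPLY):
        return False                                   # ar_pro / ar_hrd / ar_op checks
    tip = IPv4Address(frame[38:42])
    if tip.is_loopback or tip.is_multicast:            # LOOPBACK(tip) || MULTICAST(tip)
        return False
    return eth_pkt_type(dst, nic) != "OTHERHOST"       # TO_US, BROADCAST and MULTICAST answer

def probe_results(probes, nic="00:11:22:33:44:55", mcast_list=("01:00:5E:00:00:01",)):
    """{probe MAC: (reply in normal mode, reply in promiscuous mode)} for one Linux target."""
    nic_b, mlist = mac(nic), {mac(m) for m in mcast_list}
    results = {}
    for probe in probes:   # sender MAC/IP below are constructed sample values
        frame = build_arp_request(probe, "00:11:22:33:44:01", "192.168.1.20", "192.168.1.10")
        results[probe] = tuple(arp_replies(frame, nic_b, mlist, p) for p in (False, True))
    return results
```

Feeding the seven Test 2 addresses to probe_results() gives exactly the Linux 2.2/2.4 column of Result 2, and the Test 1 address 00:00:00:00:00:01 gives no reply in either mode because eth.c classifies it as OTHERHOST.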
SW filter of Windows
I do not know. I have not seen the source code.
However, there is something in the filter.
→ Test 2
Test 2
A special HW address is set and tested.

  FF:FF:FF:FF:FF:FF   Broadcast
  FF:FF:FF:FF:FF:FE   Fake broadcast (31 bits)
  FF:FF:00:00:00:00   Fake broadcast (word)
  FF:00:00:00:00:00   Fake broadcast (byte)
  01:00:5E:00:00:00   Multicast address 0
  01:00:5E:00:00:01   Multicast address 1
  01:00:00:00:00:00   Group bit

OS: Windows 9x/2000, Linux
Result 2
(P = reply, - = no reply)

  HW address           Windows 9x/ME      Windows 2k/NT4     Linux 2.2/2.4
                       normal  promisc    normal  promisc    normal  promisc
  FF:FF:FF:FF:FF:FF      P       P          P       P          P       P
  FF:FF:FF:FF:FF:FE      -       P          -       P          -       P
  FF:FF:00:00:00:00      -       P          -       P          -       P
  FF:00:00:00:00:00      -       P          -       -          -       P
  01:00:00:00:00:00      -       -          -       -          -       P
  01:00:5E:00:00:00      -       -          -       -          -       P
  01:00:5E:00:00:01      P       P          P       P          P       P
Exception 1
Old NICs do not support the multicast list (EtherLink III etc.).
- A multicast list isn't supported.
- The default is all multicast.
The packet whose destination address has the group bit set is passed.
Exception 2
Linux + 3c905 (the Dell on-board NIC is the same) is always all multicast.
The installer automatically selects the older driver 3c59x.o, in which the multicast list isn't supported.
When the newer driver, 3c90x.o, is used, the behaviour is correct.
Exception 3
Windows 2000 with a dynamically loaded driver (WinPcap 2.1 and SMS, Systems Management Server):
- responds to FF:FF:00:00:00:00 in normal mode.
- responds to FF:FF:FF:FF:FF:FE in promiscuous mode.
Demonstration

  my PC: Windows 2000
  Ethernet (172.18.21.*)
  malicious user 1: Windows 2000
  malicious user 2: RedHat 7.0
Test tool
You can download the test tool from our site.
- PromiScan
  http://www.securityfriday.com/
# Please report your test results to us. #
Contact Information
Daiji Sanai
hyler@securityfriday.com
SecurityFriday
http://www.securityfriday.com/
Thank you